Certificate-based encryption and public key infrastructure

Abstract

The present invention provides methods for sending a digital message from a sender (606) to a recipient (608) in a public-key based cryptosystem comprising an authorizer (606). The authorizer can be a single entity (606) or comprise a hierarchical or distributed entity (602, 604a-604b). The present invention allows communication of messages by an efficient protocol, not involving key status queries or key escrow, where a message recipient (608) can decrypt a message from a message sender (606) only if the recipient (608) possesses up-to-date authority from the authorizer. The invention allows such communication in a system comprising a large number (e.g. millions) of users.

Description

RELATED APPLICATIONS [0001] This application claims the benefit of U.S. provisional patent applications Ser. No. 60 / 406,721, filed Aug. 28, 2002, and 60 / 412,221, filed Sep. 20, 2002, the entire contents of which are fully incorporated herein by this reference.BACKGROUND OF THE INVENTION [0002] The present invention relates in general to cryptography and secure communication via computer networks or via other types of systems and devices, and more particularly to an improved method of implementation of public-key cryptography. [0003] A user of a public-key cryptography based communication system communicates with another user by means of two different keys, a public key and a private key. A user's public key and private key form a public key / private key pair. A message sender communicates securely with a message recipient by encrypting a message using the recipient's public key. The sender then sends the message to the recipient who decrypts the message using the recipient's private ...

AI Technical Summary

Benefits of technology

[0024] A decryption key generation schedule is established defining a validity period for a decryption key for the entity. The decryption key for the entit

Problems solved by technology

Distributing such large amounts of information requires significant resources on the part of the CA and is a barrier to the widespread implementation of public-key cryptography.

Since the CA may revoke many certificates before their intended expiration date, the CRL may become very long, particularly if the CA has many clients.

However, the transmission and infrastructure costs are still high.

However, computation costs increase because a fresh signature is required in response to every query.

Security also decreases because, if the CA is centralized, it becomes more vulnerable to denial-of-service (DoS) attacks.

First, the CA's computational load is much lower.

Second, unlike the distributed components of an OCSP, the directories in Novomodo need not be trusted.

However, Novomodo still requires certification status queries.

First, such inquiries may come from any user and concern any client.

Second, certificate status queries from the client multiply the query processing costs of the CA.

Third, nonclient queries are undesirable from a business model perspective.

It is unclear, economically, how the CA should handle queries from non-clients.

Finally, as mentioned above, if the CA must respond to queries from non-clients, it becomes more susceptible to DoS attacks.

However, practical identity-based encryption schemes have not been found until recently.

Existing identity-based cryptosystems, however, have had only limited acceptance.

As a result, existing identity-based cryptosystems have been vulnerable to passive attacks in which the CA, or any other party that discovers the master secret can determine shared secret of the two users.

Neither should such a scheme have the disadvantage of third party key escrow.

Images